General
- Target: 8254bad320e6efd4f780285492d5a5b3.exe
- Size: 337KB
- Sample: 210628-r6f3yht8q2
- MD5: 8254bad320e6efd4f780285492d5a5b3
- SHA1: 2a4f00307de0719241e47e5aa3cb8ed4aeda3f51
- SHA256: aec980989772ede0dc405ab1f0cc49a0246daaa765a6edf93a54c8e146894546
- SHA512: dd9deae7bae40a4d04267fcb2616e8f6e89686149c3e38e3ba9af24b6d5243e935270a3be82bcc4415c18b0e926d3a46ba57d6fa642426ecd37746ed3cf7e1ce
Static task: static1
Behavioral task: behavioral1 (Sample: 8254bad320e6efd4f780285492d5a5b3.exe, Resource: win7v20210410)
Behavioral task: behavioral2 (Sample: 8254bad320e6efd4f780285492d5a5b3.exe, Resource: win10v20210408)
Malware Config
Extracted: smokeloader (2020)
http://ppcspb.com/upload/
http://mebbing.com/upload/
http://twcamel.com/upload/
http://howdycash.com/upload/
http://lahuertasonora.com/upload/
http://kpotiques.com/upload/
Extracted: redline (sew)
185.215.113.64:8765
Targets
- 8254bad320e6efd4f780285492d5a5b3.exe (337KB; hashes as listed under General above)
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload
- Downloads MZ/PE file
- Executes dropped EXE
- Deletes itself
- Loads dropped DLL
- Modifies file permissions
- Adds Run key to start application
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
- Suspicious use of SetThreadContext